Updated in September 2018

Not all undocumented Windows structures are equally undocumented. Most prominent
ones have some official disclosure—certainly not documentation, but disclosure nonetheless—through
type information in the public symbol files. For a handful of prominent ones type
information has made it into the public symbol files only for a smattering of versions.
The structure in which WIN32K.SYS keeps what it knows of a process surely counts
as prominent. Yet the public symbol files for WIN32K have type information for
this structure in version 6.1 only. Worse, this type information is incorrect even
though the symbol files do match the executables. So it’s big news, relatively speaking,
that the public symbol files in the 1803 release of Windows 10 have type information
for the sub-structure at this one’s start.

It turns out that a few structures that have never or only rarely had type information
in public symbol files have it for the 1803 release. I attended to some of that
back in July, just as fallout from my articles on driver signing,
but clearly it’s (past) time for a round of updating the bookkeeping. Where are
the research students to do this?

Having Microsoft’s names and types is always welcome. Understanding anyone else’s
code is very much harder when you have to make up
names for everything. Of course, having the manufacturer’s names doesn’t mean you
should trust that what’s named truly does what the name suggests (any more than
having source code would give you the luxury of believing the comments). But a little
extra watchfulness against being misled is nothing against the extra work of inventing
good names and tracking all your changes of them as your understanding develops.

The ideal, of course, is to have not just a bare catalogue of offsets, types
and names, but some level of informed annotation—and to have it as basic, common
knowledge for all who study Windows. Why is some sort of curation not organised
by someone who has the resources to do it more frequently?

Win32

The good and bad in this is that I find small mistakes. Good because mistakes
don’t quite mortify me, but do very nearly, and it’s vital that they get corrected.
Bad because I wonder how it is that my errors aren’t pointed out much sooner (and
more frequently, for surely there are many more than I yet know). Does anyone actually
read any of this material?